Europe map
Image: Christian Lue via Unsplash

New threat group hacked EU healthcare agency and embassies, researchers say

A new hacking group is targeting European countries and organizations in an espionage campaign that began in June 2022, according to new research.

Cisco’s Talos cybersecurity team calls the new group “YoroTrooper” and said it has already successfully compromised accounts connected to a “critical” European Union healthcare agency and the World Intellectual Property Organization (WIPO). The researchers also found that it attacked several embassies.

“Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the CIS [Commonwealth of Independent States],” which includes countries like Azerbaijan, Kyrgyzstan and Turkmenistan, the researchers said.

“There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language.”

The goal of the campaign is espionage, with the hackers creating malicious domains or spoofing commonly-visited ones from CIS entities that host malware. Victims are also compromised through malicious shortcut files and decoy PDF documents sent to targets in phishing emails.

Cisco Talsos timeline

The group has already been able to steal credentials, browser histories, system information and screenshots in attacks seen by Cisco researchers. They primarily use custom-built information stealers and remote access malware.

Cisco found at least three separate clusters of activity connected to the campaign since it began operating in June 2022, with several malicious domains created that spoof legitimate European Union government agencies.

The hackers stole information during successful attacks on embassies belonging to Turkmenistan and Azerbaijan. The attacks gave the hackers access to credentials that Cisco said would be useful for lateral movement during subsequent attacks and browsing histories that are key for understanding what domains to spoof in future attacks.

Cisco was able to tie the campaign to PoetRAT – another hacking team the company discovered in 2020 after several attacks on Azerbaijan embassies and other government agencies.

The researchers could not find concrete ties between the operators of PoetRAT and YoroTrooper but said the tactics, tools and victims indicated similarities. Both used specialized Python-based tools and targeted Azerbaijan – specifically their embassies – the energy sector and government institutions.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.